Network Attack Surface

by Brent Kirkpatrick

(Date Published: 1/24/2018.)

Every network has vulnerabilities that are exposed.

Critical vulnerabilities will be exposed to certain portions of your network. This happens because vulnerabilities are announced before patches are available or installed. This is the network attack surface---which vulnerabilities are exposed to which parts of your network.

Suppose you have an old, unsupported Windows 95 machine that you absolutely must keep running and keep connected to the Internet. This machine has major vulnerabilities. Where do those vulnerabilities appear on your network attack surface?

Suppose you have a network of 10 routers and 100 end-points, some of which are clients and some are servers. There are at least 3.5 x 10^113 ways to arrange your network. You want a configuration that aids security and reduces your network attack surface.

With a dynamic network where some users move from router to router, you need to be even more careful about the network attack surface. Suppose your unsupported Windows machine is a laptop that uses the wireless network. How do you arrange your wireless routers to mitigate the vulnerabilities of a mobile, unsupported computer? It is literally a walking mess of vulnerabilities.
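To make "which vulnerabilities are exposed to which parts of your network" concrete, here is an added example (not from the post) that models a small network as segments joined by links, with ingress ACLs that filter on source segment, and computes for each unpatched vulnerability the set of segments it can be reached from. The topology, host names, vulnerability labels and the two policies are constructed for illustration; the roaming helper unions the exposure of the laptop across every wireless segment it might attach to.

```python
from collections import deque

# Constructed sample network (not from the post): one segment per router, plus links.
LINKS = [("core", "wifi-1"), ("core", "wifi-2"), ("core", "guest"), ("core", "dmz")]
SEGMENTS = {s for link in LINKS for s in link}

# Hosts: name -> (segment it attaches to, unpatched vulnerabilities it carries).
HOSTS = {
    "win95-laptop": ("wifi-1", {"smb-v1", "netbios"}),  # the unsupported machine
    "file-server": ("core", {"smb-v1"}),
    "web-server": ("dmz", set()),
    "visitor-phone": ("guest", set()),
    "staff-pc": ("wifi-2", set()),
}

def neighbours(seg):
    return {b if a == seg else a for a, b in LINKS if seg in (a, b)}

def can_reach(origin, target, deny):
    """True if traffic originating in `origin` can arrive in `target`.
    `deny` holds (origin, entered_segment) pairs modelling ingress ACLs that
    filter on source network; hosts on one segment always reach each other."""
    seen, queue = {origin}, deque([origin])
    while queue:
        seg = queue.popleft()
        if seg == target:
            return True
        for nxt in neighbours(seg):
            if nxt not in seen and (origin, nxt) not in deny:
                seen.add(nxt)
                queue.append(nxt)
    return False

def attack_surface(hosts, deny):
    """Map each vulnerability to the segments from which a host carrying it is reachable."""
    surface = {}
    for seg, vulns in hosts.values():
        exposed = {o for o in SEGMENTS if can_reach(o, seg, deny)}
        for v in vulns:
            surface.setdefault(v, set()).update(exposed)
    return surface

def roaming_exposure(attach_points, deny):
    """Segments that can reach a mobile host at any access point it roams to."""
    return {o for seg in attach_points for o in SEGMENTS if can_reach(o, seg, deny)}

FLAT = set()  # no filtering: every segment reaches every other
# Only the core (where administration happens) may enter the wireless segments.
QUARANTINE = {(o, t) for o in SEGMENTS - {"core"} for t in ("wifi-1", "wifi-2") if o != t}
```

Under FLAT every vulnerability is exposed to all five segments; under QUARANTINE the laptop's `netbios` exposure shrinks to `core` and its own segment, while the file server's `smb-v1` stays exposed everywhere because nothing filters traffic into `core`.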